Introduction
It’s a simple truth: applying patches is the only definitive way to keep
vulnerable systems from being exploited. Accordingly, the vast majority of
organizations acknowledge the need to have a formal patch management
strategy and solution. Furthermore, they clearly recognize that the demands in
this area are escalating due to the proliferation of new vulnerabilities and the
rapid emergence of associated threats. Seemingly irreversible conditions
require that organizations not only deploy more patches than ever before, but
also that they do so with a much greater degree of urgency.
Overview of Benefits
It could also be argued that administrator and end-user productivity gains due
to incurring fewer successful attacks deserve to be classified as quantifiable
benefits. However, it is probably more appropriate to classify these as red
herrings. The problem in this case is that the potential gains hinge on the
anticipation of remediating a vulnerability much sooner than would otherwise
be possible (which is fundamentally different from doing it more efficiently).
But there are several challenges with this notion. First, the presence of
intermediate steps in the process which are necessarily manual diminishes the
potential improvement in the overall ‘elapsed time’ before a patch is applied
and, more importantly, complicates its quantification. The second challenge is
assigning a value to whatever degree of improvement is actually attained. By
how many will the number of successful attacks actually be reduced? One can
only guess.
Finally, there is the point that taking advantage of any gain in this area
requires the patch management process to be executed more frequently. In
the extreme, it would need to be conducted every time a patch became
available – as opposed to the widely favored approach of executing it at
regularly scheduled intervals (e.g., monthly). Overall, it is expected that the
cost of these extra cycles (i.e., rollouts) would offset the productivity savings
attributable to experiencing a few fewer successful attacks. In any event, this
potential benefit is simply too difficult to defend concretely and, therefore, is
relegated to the qualitative category.
• Loss of data;
• Loss of revenue;
• Loss of credibility with customers and partners; and,
• Legal action/liability.
Description of Scenario
Examination of Findings
Speaking of cost advantages, the outcome for the given scenario is that, due
to a per-computer reduction in patch management costs from $222 to $40 per
year, an automated patch management solution is projected to yield an annual
savings of approximately $182,000. In other words, without even accounting
for any of the associated qualitative benefits, automated patch management
will provide an ROI of approximately 450%, essentially paying for itself in less
than three months.
As noted earlier, the cost analysis model and resulting savings projections of
Table 1 are based on a wealth of experiential data. Nonetheless, it is
appropriate to acknowledge that a number of factors can impact the real-world
outcome for any given organization. Some of the more significant ones
include:
• Size of organization;
• Degree of centralization/de-centralization;
• Level of administrator expertise;
• Diversity of operating systems;
• Diversity of application portfolio;
• Complexity of system configurations; and,
• Enterprise policies and procedures.
Summary
In this day and age of vulnerability proliferation and fast-following threats,
automated patch management is an intuitively appealing solution. The
qualitative benefits alone can often be quite compelling, with better (i.e., more
accurate and potentially quicker) patching leading to an overall reduction in
risk as a result of incurring fewer successful attacks. In addition, for
organizations seeking more concrete evidence, it can fortunately be found in
the form of quantifiable cost savings. Specifically, it is expected that an
enterprise patch management solution featuring a high degree of automation
will reduce the annual cost to patch a single computer from $222 to $40,
representing an annual savings of over $180,000 for an organization with
1000 workstations.
Footnotes:
Preparation starts with the highly manual effort of deciding on the particulars
of how to deploy a patch, or more likely, a package of several patches. This
entails answering questions such as: Which machines should be excluded?
How will reboots be handled? Will the rollout be phased and, if so, how? What
are the timing details (e.g., deadlines, maintenance windows)? It also
involves collecting the patches themselves, and finally scripting or otherwise
configuring the details of the deployment plan into an appropriate tool.
Summary of Costs

Item                             Manual      Automated   Notes
Patch Process                    $222,350    $19,604
Patch Management Software        $0          $18,000
Patch Management Hardware        $0          $800        annual cost = one-time cost divided by 3 years
Patch Management Training        $0          $250        annual cost = one-time cost divided by 3 years
Patch Management Installation    $0          $400        annual cost = one-time cost divided by 3 years
Annual Maintenance               $0          $480        20% of one-time hardware costs
PatchLink Corporation
Scottsdale, AZ 85255
480.970.1025
www.patchlink.com